SRX Services Gateway
SRX Services Gateway

SRX650 and high CPU usage

11.14.10   |  
‎11-14-2010 01:35 AM

Hi,

 

I have a SRX650 cluster, it's running a few BGP-session (partial tables), some OSPF, about 11 security zones, 32 policys, 2-3 bandwidth policers, and sampling. The cluster is running 10.2R2.

 

During the night i see warning in my log for high CPU-usage, 93-97% usage. The traffic during this time is 150-200Mbps and 15-20Kpps.

 

Should'nt a SRX650 cope with more than this? Could it be my sampling that is causing the CPU to go so high?

 

Regards

Freddy

6 REPLIES
SRX Services Gateway

Re: SRX650 and high CPU usage

11.14.10   |  
‎11-14-2010 04:02 AM

The SRX650 should easily be able to cope with only 200mbps.

 

Which CPU usage is high, PFE or RE? If its the routing engine, first thing to look at would be bgp/ospf updates, if its PFE then my first guess would be the sampling as well.

SRX Services Gateway

Re: SRX650 and high CPU usage

11.14.10   |  
‎11-14-2010 09:21 AM

Aggressive sampling can put quite a load on the system.  The other thing that comes to mind is using NSM for logging as it can result in higher CPU usage.  The best option for both, in my opinon, is to export syslog to a server, such as STRM/QRadar or Splunk and poll system usage via SNMP.

 

mawr

SRX Services Gateway

Re: SRX650 and high CPU usage

11.14.10   |  
‎11-14-2010 09:29 AM

I have disabled sampling and will have to see tonight if the CPU warnings are gone.

 

Currently my sampling-rate is 1, what do others use? SNMP don't give me the same accuracy.

SRX Services Gateway

Re: SRX650 and high CPU usage

11.14.10   |  
‎11-14-2010 12:57 PM

Syslog messages contain a healthy amount of information to parse.  Here is an example of a structured message:

 

RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason="TCP FIN" source-address="192.168.1.200" source-port="3968" destination-address="208.111.156.196" destination-port="80" service-name="junos-http" nat-source-address="216.114.217.242" nat-source-port="19623" nat-destination-address="208.111.156.196" nat-destination-port="80" src-nat-rule-name="trust-source-nat-rule" dst-nat-rule-name="None" protocol-id="6" policy-name="trust-http" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15356" packets-from-client="15" bytes-from-client="3386" packets-from-server="23" bytes-from-server="7331" elapsed-time="12"]

 

mawr

SRX Services Gateway

Re: SRX650 and high CPU usage

11.16.10   |  
‎11-16-2010 08:58 PM

Sampling rate 1 means you are essentially sampling every packet. This is too much. Should consider increasing the rate to something more reasonable like 100 or more.

 

-Richard

SRX Services Gateway

Re: SRX650 and high CPU usage

11.17.10   |  
‎11-17-2010 05:07 AM

Check out Pato's first reply in this thread.  It may help differentiate Jflow and Syslog for traffic reporting on SRX and J-series devices.

 

mawr